AcidRain Malware Responsible for Attack on Viasat

Viasat confirmed that it had pinned down the malware responsible for the cyberattack that took down the company's services in February. The malware used is tentatively named AcidRain and has destructive capabilities.

Viasat, a worldwide communications provider headquartered in the US, suffered service outages in Ukraine and several other European territories in late February 2022. Now, researchers with SentinelLabs claim that it was the AcidRain malware that was used in the attack that brought Viasat infrastructure down.

AcidRain used in earlier attacks

AcidRain is a Linux binary engineered to wipe networking equipment, including modems and routers. Researchers believe it was the same malware that took down Viasat's hardware in late February.

According to the SentinelLabs team, AcidRain shares certain similarities with a component of the VPNFilter malware. VPNFilter has been around for a while: in mid-2018 the FBI urged all router users, including home users, to reboot their routers to disrupt potential VPNFilter attacks. VPNFilter was subsequently attributed to the Russian state-backed threat actor known as Fancy Bear or APT28.

As per information released by Viasat itself, the attack that knocked service offline in February was focused on just one portion of the company's KA-SAT network that is run and operated by a subsidiary.

Malware rewrites router firmware

As for how AcidRain knocks out hardware, Viasat stated that the malware overwrites important portions of the devices' flash memory, leaving an infected device unable to communicate with the network. The damage is not permanent, however: reflashing the units with factory firmware should restore them to working order.

The threat actor's point of entry in this attack appears to have been a misconfigured VPN appliance, which allowed the attackers to reach the KA-SAT management components on the network.

ZDNet reported that Viasat confirmed its internal data lines up with SentinelLabs' findings on all but one point: SentinelLabs believes the attack may have been supply-chain based, while Viasat says that is not the case.

AcidRain is the latest in a series of destructive malware payloads deployed in Ukraine since the start of the Russian invasion. Earlier payloads did not target networking equipment; they focused on wiping storage and data.